Proper fail2ban configuration

sebres edited this page Aug 22, 2017 · 1 revision

Unless configured otherwise, Fail2ban loads its configuration files from the directory /etc/fail2ban, where you will find many files named *.conf.
Before you start the fail2ban service, you should adapt the configuration to your system, at least enabling the jails for the services you want fail2ban to protect.


[Q] Should I make my configuration directly in jail.conf and fail2ban.conf?
[A] No. You should avoid changing the .conf files created by the fail2ban installation. Instead, write new files with the .local extension.

Since these stock files may be overwritten by package upgrades, and because your changes may be incompatible with future versions, you should not edit them in place.
So to set your jail configuration, don't change jail.conf; to customize a filter, don't change filter.conf. Instead, create a new file with the .local extension and write there only the settings that override or extend the values of the original configuration. For example, any value defined in jail.local overrides the value in the same section (e.g. [DEFAULT]) of jail.conf.

So for example if original .conf file contains:

[DEFAULT]
logpath = /path/to/log

[section1]
logpath = /other/path
enabled = true

[section2]
enabled = true

And you create a .local file containing:

[DEFAULT]
logpath = /my-path/to/log

The value of parameter logpath in section1 will still be /other/path.
But the value of logpath in section2 changes to /my-path/to/log, because it is not specified in the section itself, so the new default value is used.
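The precedence just described, worked through in Python as an added example (this is not fail2ban's own loader; the assumption is that Python's configparser models the same section/DEFAULT semantics, and the sample layers are constructed to match the example above):

```python
import configparser

# Constructed sample layers mirroring the .conf/.local example above
# (not real fail2ban files).
STOCK_CONF = """
[DEFAULT]
logpath = /path/to/log

[section1]
logpath = /other/path
enabled = true

[section2]
enabled = true
"""

LOCAL_OVERRIDE = """
[DEFAULT]
logpath = /my-path/to/log
"""

# A further .local layer that switches one jail off in its own section.
LOCAL_DISABLE_ONE = """
[section1]
enabled = false
"""


def merge_layers(*layers):
    """Read INI text layers in order: a later layer overrides the same key in
    the same section, i.e. the .conf-then-.local precedence described above.
    Assumption: configparser stands in for fail2ban's own configuration reader."""
    cfg = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cfg.read_string(text)
    return cfg


def effective_logpath(cfg, section):
    """logpath of a section; configparser falls back to [DEFAULT] when the
    section does not set it, which is why section2 picks up the .local value."""
    return cfg.get(section, "logpath")


def enabled_jails(cfg):
    """Sections whose merged 'enabled' flag is true; an unset flag means disabled."""
    return [s for s in cfg.sections() if cfg.getboolean(s, "enabled", fallback=False)]


if __name__ == "__main__":
    cfg = merge_layers(STOCK_CONF, LOCAL_OVERRIDE)
    for section in cfg.sections():
        print(section, effective_logpath(cfg, section))
    print(enabled_jails(merge_layers(STOCK_CONF, LOCAL_OVERRIDE, LOCAL_DISABLE_ONE)))
```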


[Q] Which configurations are necessary to let fail2ban protect a service?

Answer

[A] You should create a jail.local file and at least enable the corresponding jails there (all jails are disabled by default), override there any settings that differ from the stock installation, or even create your own jails and/or filters that are not available in the default configuration of the fail2ban distribution.

For example, if you want fail2ban to ban authorization failures in sshd and nginx, but the error.log of your nginx instance is configured as /var/log/my-nginx/error.log, you should also set the parameter logpath in addition to enabled in section [nginx].

So your jail.local looks like:

[nginx]
logpath = /var/log/my-nginx/error.log
enabled = true

[sshd]
enabled = true

If you use a different version of fail2ban than the one provided by the maintainers of your distribution, you should check other parameters (which may normally be specified in distribution config files), like:

  • several path parameters of the fail2ban service itself (specified in fail2ban.conf or its includes):
[Definition]
logtarget = /var/log/fail2ban.log
socket =    /var/run/fail2ban/fail2ban.sock
pidfile =   /var/run/fail2ban/fail2ban.pid
dbfile =    /var/run/fail2ban/fail2ban.sqlite3
  • other jail parameters (jail.conf or its includes) like backend (e.g. reading systemd journals requires the systemd backend), action or banaction (e.g. you can't use iptables if your system does not support it), logpath, etc.

You can also control or configure other optional parameters, like ignoreip, etc.


[Q] How can I see the current (merged) configuration that fail2ban will use at start?

Answer

[A] You can dump your current configuration (all the parameters that fail2ban loads at start) with the following commands:

# dump parameters:
fail2ban-client -d
# verbose: also output which config files will be loaded, then dump parameters:
fail2ban-client -vd
fail2ban-client -vvd

[Q] How can I notify fail2ban that the configuration was changed?

Answer

[A] You should execute fail2ban-client reload (in versions before 0.10, fail2ban-client restart).

You can also get and set individual parameters using the fail2ban client-server communication protocol. For example:

fail2ban-client set pam-generic logencoding UTF-8
fail2ban-client set nginx findtime 10m

[Q] How should I correctly modify log file locations, other than in the jail settings or by messing with the master .conf files?

Answer

[A] To modify the default log file locations, create a .local file for paths-common.conf or paths-debian.conf (whichever you are using in jail.local) and make changes only in your .local files. This keeps your jail settings nicely structured and avoids problems when Fail2Ban is updated.

To create your .local file, please don't copy the stock file like this:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp /etc/fail2ban/paths-common.conf /etc/fail2ban/paths-common.local

Just create it from scratch and edit it with your preferred editor.

Now, if you want for example the nginx filter to read all your Nginx access logs for multiple web sites:

  • Either do it in jail.local:
    [nginx]
    logpath = /var/log/nginx/*access*.log
    enabled = true
  • Or, instead of putting the path directly in your jail:
    Edit paths-common.local or paths-debian.local (whichever you are using) and add an nginx_access_log entry as follows:
    [DEFAULT]
    nginx_access_log = /var/log/nginx/*access*.log
    Then in your jail use:
    logpath = %(nginx_access_log)s
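How the %(nginx_access_log)s reference is resolved through the paths .conf/.local layers, as an added example (not fail2ban's own code; the assumption is that Python's BasicInterpolation models fail2ban's %(name)s substitution, and the sample layers are constructed). It also shows the failure you get when the variable name in the jail is misspelled:

```python
import configparser

# Constructed sample layers (not the real files shipped with fail2ban).
PATHS_COMMON_CONF = """
[DEFAULT]
nginx_access_log = /var/log/nginx/access.log
"""

PATHS_COMMON_LOCAL = """
[DEFAULT]
nginx_access_log = /var/log/nginx/*access*.log
"""

JAIL_LOCAL = """
[nginx]
logpath = %(nginx_access_log)s
enabled = true
"""

# Typo in the variable name: the jail refers to a path variable no layer defines.
JAIL_LOCAL_TYPO = """
[nginx]
logpath = %(nginx_acces_log)s
enabled = true
"""


def resolve_logpath(layers, jail):
    """Read the layers in order and return the interpolated logpath of a jail.

    %(name)s is looked up in the jail's own section first, then in [DEFAULT],
    so the override in paths-common.local wins over paths-common.conf.
    Assumption: configparser's BasicInterpolation stands in for fail2ban's loader.
    """
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in layers:
        cfg.read_string(text)
    try:
        return cfg.get(jail, "logpath")
    except configparser.InterpolationMissingOptionError as exc:
        # Surface the misspelled variable clearly rather than starting with a broken logpath.
        raise ValueError(f"jail [{jail}]: undefined path variable in logpath: {exc}") from None


if __name__ == "__main__":
    print(resolve_logpath([PATHS_COMMON_CONF, PATHS_COMMON_LOCAL, JAIL_LOCAL], "nginx"))
```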